Delivered-To: freebsd-questions@freebsd.org
From: "Brian Henning"
To: "freebsd"
References: <200303051114.25796.jeff@walters.name>
Subject: Re: firewall revisited
Date: Wed, 5 Mar 2003 13:48:45 -0600

> > how can i have the script /etc/ipfw.rules run instead of /etc/rc.firewall?
> > can i change
> > firewall_type="OPEN" to firewall_type="" and create the entry
> > firewall_script="/etc/ipfw.rules"?
>
> I have that working right now with:
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall.local"
>
> ... where /etc/rc.firewall.local contains the customized ipfw commands.
>
> > what i would like to do is block all access to services on the router like
> > httpd, sshd, etc
> > the other thing i would like to do is port forward ssh from another machine
> > and allow access of that from an external network.
> > does something like this make sense?
> > thanks,
>
> If you are using NAT then the -redirect_port option to natd will do that (i.e.
> forward incoming port 22 connections to an internal machine), which can be
> set in /etc/rc.conf in the natd_flags="-redirect_port ..." variable. You
> have to create a corresponding ipfw rule to allow the traffic after natd
> rewrites the destination IP to your internal LAN machine, which it looks like
> you have done below, except the "from" would be "any" not "ROUTER_IP". It
> will be the IP of the outside machine trying to connect to port 22.
>
> I have a similar port forward set up. Early in the firewall rules allow all
> established TCP connections, and then later allow the setup for the initial
> SSH connection. 10.0.1.2 would be a machine behind the firewall to receive
> SSH connections, and ed0 would be the external internet interface.
>
> in /etc/rc.conf:
> natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh"
>
> in the firewall script:
> ipfw -q flush
> ipfw add 00050 divert natd ip from any to any via ed0
> ipfw add 00100 allow tcp from any to any via ed0 established
>
> ipfw add 01000 allow tcp from any to 10.0.1.2 ssh setup
>
> ipfw add 65530 deny log ip from any to any
>
> I winged this so forgive any errors, but it's based on what I have working,
> including a rule to deny and log everything by default at the bottom.
>
[snip]

Jeff, you must have your firewall_type set to the default then in rc.conf or
/etc/defaults/rc.conf. does your setup not run the standard rc.firewall file in
/etc?

does this rule allow any access to the outside network?

ipfw add 00100 allow tcp from any to any via ed0 established

thanks,
brian
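An added example, not code from either poster: the rule set Jeff sketches written out as a complete /etc/rc.firewall.local, with the outbound and LAN-side rules it still needs and comments on what "established" and "setup" actually match, which bears on Brian's last question. ed0 and 10.0.1.2 are from the thread; the internal interface name xl0 and the ipfw path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a complete /etc/rc.firewall.local in
# the shape Jeff describes. Wire it in with firewall_enable="YES" and
# firewall_script="/etc/rc.firewall.local" in /etc/rc.conf, and do the
# forward itself with natd_flags="-redirect_port tcp 10.0.1.2:ssh ssh".
oif="ed0"          # external interface (from the thread)
iif="xl0"          # internal LAN interface (assumed name)
sshbox="10.0.1.2"  # LAN host that receives the forwarded SSH (from the thread)
fwcmd="/sbin/ipfw" # assumed path to ipfw

# Emit one rule per line so the set can be reviewed, or checked in a test,
# without loading it. ipfw stops at the first matching rule, so order matters.
rule_set() {
    cat <<EOF
add 00050 divert natd ip from any to any via ${oif}
add 00100 allow tcp from any to any via ${oif} established
add 00200 allow ip from any to any via lo0
add 00300 allow ip from any to any via ${iif}
add 00400 allow tcp from any to any out via ${oif} setup
add 01000 allow tcp from any to ${sshbox} ssh setup
add 65530 deny log ip from any to any
EOF
}
# Notes on the rules above:
#  00050  natd must see every packet on ${oif} before any allow/deny decision,
#         so inbound port-22 SYNs already carry ${sshbox} as destination when
#         the later rules look at them.
#  00100  "established" matches only TCP packets with ACK or RST set, so it
#         passes the continuation of connections in either direction but
#         never a bare SYN; it does not by itself open access to anything.
#  00400  the thread's snippet has no rule for SYNs leaving ${oif}, so LAN
#         hosts could not start outbound connections; this adds that.
#  01000  the only inbound "setup" allowed is to ${sshbox}; SYNs aimed at the
#         router's own sshd/httpd fall through to 65530 and are logged.

# Load the rules into the kernel: flush, then add each line.
apply_rules() {
    ${fwcmd} -q -f flush
    rule_set | while read -r rule; do
        # word-splitting of ${rule} is intended here
        ${fwcmd} -q ${rule}
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh /etc/rc.firewall.local apply` to load the rules; without the argument it only defines the functions, so the rule list can be inspected with `rule_set` first.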